MS08-067 Celebrates Another Birthday

A year ago today, SecureState posted a blog wishing MS08-067 a happy third birthday. The vulnerability is a flaw in the Windows Server Service: a specially crafted RPC request sent to the service can allow remote code execution without authentication. It affected Windows 2000, XP, Server 2003, Vista, and Server 2008 and has been assigned CVE-2008-4250.

Penetration Testers seek out this vulnerability because the exploit is highly reliable and carries very low risk of crashing the target. For an attacker, the simple fact is that the attack still works. The vulnerability was widely used by the Conficker worm, which is estimated to have infected somewhere between 9 and 15 million systems. Penetration Testers and hackers love this vulnerability so much that an actual birthday party was thrown for it during DerbyCon 2.0.

What’s the big deal? It is 2012! As SecureState consistently discovers, the simple fact is that there are still unpatched systems out there. From systems buried in corporate environments to others just sitting on the internet waiting to be compromised, this vulnerability just doesn’t want to die. Why aren’t they patched yet? Consider the simple math of patching a large corporate environment. If a large corporation has 10,000 systems that can be affected by MS08-067, and all but 1 percent are patched, that leaves 100 systems vulnerable. A corporation might not even be able to patch the issue, depending on what legacy equipment is in use; or, depending on the size of the environment, it may not even know which systems are vulnerable.

Relying on antivirus (AV) to protect the system is just not enough. Metasploit, which is commonly used to exploit this vulnerability, has some of the best AV-evasion encoders around, and AV inspects the payload, not the vulnerable service. The only real solutions are to patch and to restrict access to sensitive ports (TCP 139 and 445, where the Server Service listens).
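Finding the "1 percent" is the first practical step. The following PowerShell is an added example (not SecureState's tooling or part of the original post) that sweeps a list of hosts and reports two things for each: whether the MS08-067 hotfix, KB958644, shows up in the installed-hotfix list, and whether TCP 445 is reachable from the machine running the sweep. The host names are constructed placeholders; in practice the list would come from Active Directory or a network inventory, and the account running it needs administrative rights on the targets with RPC/WMI reachable.

```powershell
# Added example: inventory hosts missing the MS08-067 fix (KB958644) and
# check whether SMB (TCP 445) is exposed to the scanning host.
# Assumes: admin rights on the targets, RPC/WMI permitted through any firewall.

$KbId = 'KB958644'   # hotfix ID for MS08-067 (real KB number)

# Constructed sample inventory. In practice, for example:
#   $Hosts = Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName
$Hosts = @('legacy-print01', 'lab-xp-02', 'ws-finance-17')

function Test-TcpPort {
    # Returns $true if a TCP connect to $Computer:$Port succeeds within the timeout.
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 1500)
    $Client = New-Object System.Net.Sockets.TcpClient
    try {
        $Async = $Client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $Async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $Client.EndConnect($Async)
        return $true
    } catch {
        return $false
    } finally {
        $Client.Close()
    }
}

function Get-Ms08067Status {
    # Queries Win32_QuickFixEngineering on each host via Get-HotFix and
    # reports Patched / MISSING / Unreachable, plus whether 445 is open.
    param([string[]]$Computers, [string]$HotFixId)
    foreach ($Computer in $Computers) {
        $Smb445 = Test-TcpPort -Computer $Computer -Port 445
        try {
            # Fetch the whole list and filter locally rather than using -Id,
            # so "not installed" and "host unreachable" are told apart cleanly.
            $Fix = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
                   Where-Object { $_.HotFixID -eq $HotFixId }
            if ($Fix) {
                $Status = 'Patched'
                $Installed = $Fix.InstalledOn
            } else {
                $Status = 'MISSING'
                $Installed = $null
            }
        } catch {
            # WMI/RPC failure: host off, firewalled, non-Windows, or access denied.
            $Status = "Unreachable: $($_.Exception.Message)"
            $Installed = $null
        }
        [PSCustomObject]@{
            Computer    = $Computer
            HotFix      = $HotFixId
            Status      = $Status
            InstalledOn = $Installed
            Smb445Open  = $Smb445
        }
    }
}

$Results = Get-Ms08067Status -Computers $Hosts -HotFixId $KbId
$Results | Format-Table -AutoSize

# Hosts that are both unpatched and reachable on 445 are the ones an attacker
# with a foothold on the network would hit first.
$Results |
    Where-Object { $_.Status -eq 'MISSING' -and $_.Smb445Open } |
    Export-Csv -NoTypeInformation -Path .\ms08-067-exposed.csv
```

Two caveats a practitioner would want: a hotfix absent from the QFE list is a strong indicator rather than proof (a superseding update or a rebuilt image can change what QFE reports), so confirm suspect hosts with a vulnerability scanner before declaring them clean; and the reachability check only tells you what the scanning host can see, so run it from the network segments an attacker is likely to land on, such as the user workstation VLAN.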

While this vulnerability is typically more of a problem for large companies, simply because of the number of systems they have to update, SecureState recently found and exploited MS08-067 to achieve a full compromise of a small company.

During the assessment, SecureState identified numerous SQL Injection vulnerabilities in the company's external web applications. In most of the areas where injection was found, the database user was a low-privileged account, which meant that operating-system compromise through the database was not possible; however, it was still possible to retrieve any data the user had access to. This included internal information from an intranet database as well as customer information. One of these vulnerabilities allowed SecureState to retrieve a large list of usernames from a backend database, which was used in subsequent attacks to guess passwords.

Using the list of users obtained from one of the SQL Injection vulnerabilities, SecureState began a reverse brute-force attack (a small number of common passwords tried against every username, which keeps any single account below the lockout threshold) against the company's webmail and discovered one account with a weak password. SecureState used this account to access a Citrix application called “My Desktop”. Through this application, SecureState had full remote access to a workstation on the internal network.

Using the compromised workstation as a pivot point, SecureState began to target the internal network and found two systems that were missing the MS08-067 patch from four years earlier. By exploiting this vulnerability SecureState obtained SYSTEM-level access to these hosts. On one of them, SecureState found that a Kerberos token for a domain administrator was still present in memory. By impersonating this token, SecureState gained complete administrative access to the entire domain and to all systems and sensitive information stored on them, such as client data.

So here’s wishing MS08-067 a happy fourth birthday, with no funeral date in sight.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
